Latest Threats

2017 Annual Security Roundup

The top security events of the past year make this apparent — and their repercussions make the implementation of smart protections all the more important.View the 2017 Annual Security Roundup

2018 SECURITY PREDICTIONS

Today's increasingly interconnected environments pave the way for threats that will bank on systems' weaknesses for different forms of cybercrime. How can you prepare for the year ahead?View the 2018 Security Predictions

Spectre Next Generation: New Intel CPU Vulnerabilities Found

Following January’s reports of Meltdown and Spectre affecting Intel processors, security researchers found eight new vulnerabilities in Intel processors. As Google Project Zero’s 90-day deadline ends on May 7 for companies’ disclosure of technical details and solutions, the flaws — named Spectre Next Generation or Spectre NG — were characterized as similar to the previous Spectre attack scenarios. Four of the flaws were rated as “high” risk and the rest are of “medium” severity.

Each vulnerability will have their own number in the Common Vulnerability Enumerator (CVE) directory. Intel patches will come in two waves, with one in May and the next in August. Linux developers are working on measures against Spectre as well, while Microsoft is preparing patches for the said vulnerabilities, which they will distribute as optional updates. Further, Microsoft is also offering $250,000 in a bug bounty program for more unknown Spectre-related flaws. Advanced RISC Machine (ARM) CPUs from Japan’s Softbank’s ARM Holdings are speculated to also be affected by these new vulnerabilities, while Advanced Micro Devices’ (AMD) architecture is still being examined.

Spectre NG is similar to the previously patched flaws, allowing third parties to extract sensitive information such as passwords stored in memory. However, one of the new variants reportedly simplifies attacks across the system’s restrictions by running an exploit code in a virtual machine (VM) and attack the host system from there, or attack VMs of other clients running on the same server.

While users previously felt discouraged to update their systems with distributed patches addressing these vulnerabilities because it could slow down their systems’ performance, Intel released a statement to address the issue and encourage all users to keep systems updated. Just like the January attacks of Spectre and Meltdown, the following recommendations still serve as best practices:

Update the firmware from reliable vendors and regularly check for available security updates

New information suggested that Intel requested to postpone the publishing of the vulnerabilities' technical details, and it seems that Google Project Zero agreed to the delay. Due to the number of affected systems, the company is seen having problems getting the patches out in time for May 7 and intends to do the coordinated release of the microcodes on May 21 or July 10 with the details of at least two variants. Likely affected systems include Core processors, Xeon spinoffs, Atom-based Pentium, Atom and Celeron CPUs released since 2013, which affects desktops, laptops, smartphones and other embedded devices. The August 14 patch will likely address the most serious vulnerability affecting cloud environments, and Intel is reportedly releasing hardware and software improvements for other manufacturers and vendors to implement.